Ref: https://learn.cantrill.io/courses/1820301/lectures/41301383 , https://learn.cantrill.io/courses/1820301/lectures/41301384 and https://learn.cantrill.io/courses/1820301/lectures/41301385

• Contents:

PART 1: Create a VPC Interface Endpoint (IE) to use Instance Connect on a private EC2 instance

1. EC2 instance is in private subnet sn-app-A. By default we can't connect to it via Instance Connect since it doesn't have a public IP
2. We can however use Instance Connect if we create a VPC IE in sn-app-A. That can be done from Instance Connect UI (”EC2 Instance Connect Endpoint”) or directly from VPC UI (“Endpoints”)
   • Interesting option: Preserve Client IP
3. Once endpoint is created, we can use Instance Connect to access private instance
   • If we didn't preserve client IP and we relogin to instance, we see the EI's IPv4 address in the instance's CLI as “last login”

PART 2: Create a VPC Gateway Endpoint (GWE) to access S3 privately

1. Private instance in sn-app-A can't access public internet. It also can't access S3, which is public service
   • Executing ping 1.1.1.1 inside instance doesn't respond
   • Executing aws s3 ls won't show anything either
2. Let's create a GWE for S3
   • Go to VPC → Endpoints → Create Endpoint → Type: AWS Services → filter by “s3” → type: Gateway
     • We could also use an interface endpoint for S3 nowadays
   • ❗ Select the main route tables in the VPC (they refer to RTs in private subnets)
3. When endpoint is created, private instance can now access S3!
   • Executing aws s3 ls shows the buckets in the account
   • We can copy an object from the bucket into the EC2 instance (upload to S3 first): aws s3 cp s3://<BUCKETNAME>/supersecret.txt supersecret.txt
   • And then see its contents: cat supersecret.txt → We should see the message!
4. Instance is still private, without internet access: ping 1.1.1.1 does NOT respond!

PART 3: Create an Egress-only IGW for a private IPv6 instance

1. Our EC2 instance in sn-app-A has an IPv6 address, but currently the VPC has no IGWs and we can't access the internet
   • ping -6 ipv6.google.com doesn't respond
2. Let's create an EIGW
   • Go to VPC → Egress only internet gateway → Create EIGW → Attach it to A4L-VPC
3. Now update Route Table in the main subnets of A4L-VPC
   • Add a default IPv6 route ::/0 with EIGW as target
4. Now instance can access internet with IPv6 routing:
   • ping -6 ipv6.google.com responds :)
5. 💡 EXTRA: not covered in the original demo… can you prove that another instance in a different VPC can't ping our EC2 instance with IPv6 addressing? ;)